What the IDOR advisory means for enterprise access control and authorization strategies
Recently the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) released a joint advisory that warns developers, vendors, and organizations of access control vulnerabilities in web applications.
The warning describes insecure direct object reference (IDOR) issues, which allow bad actors to read or modify sensitive data via a website or web application programming interface (API) request that includes the identifier of a valid user.
Coming on the heels of the recent Microsoft email hack, and with the U.S. Securities & Exchange Commission (SEC) now requiring enterprises to disclose breaches, enterprises want more than ever to avoid attacks, hacks and breaches.
But how do you decrease this risk?
The time for Zero Trust is now
The lack of fine-grained access control, or in other words not implementing a Zero Trust model, is dangerous.
The joint advisory points this out: the fact that a web application lets an authenticated user log on does not mean the application owner has provided appropriate security for that application or for that individual user.
In fact, the advisory suggests organizations implement both a “security by default” and a “security by design” approach, both of which are intrinsically Zero Trust in nature. Implementing this guidance would likely end risky behavior such as keeping a session open on the basis of only one validation point (in this case, authentication).
Enterprises that ensure their applications adopt a Zero Trust model constantly check attributes such as age, location and device to re-authorize what the user is doing. This makes the web application more secure and makes it less likely that bad actors slip through the application.
Code with an IDOR flaw is insecure from the start, which exposes it to the many risks mentioned in the advisory.
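The following is an added illustration, not code from the advisory or from this post's author: a small in-memory invoice API in which the vulnerable handler trusts authentication alone (the IDOR pattern described above), beside a hardened handler that re-authorizes every request at the object level. The data, the handler names and the `Invoice` type are constructed for the example.

```python
# Added example (not from the advisory or the original post): an in-memory
# "invoice" API that shows the IDOR pattern beside an object-level
# authorization check. INVOICES, Invoice and the handler names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: str
    amount: int


# Constructed sample data: two different users' invoices in one table.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 900),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_idor(authenticated_user: str, invoice_id: int) -> Invoice:
    """Vulnerable: authentication is the only validation point. Any logged-in
    user who supplies another user's invoice_id receives that record."""
    if not authenticated_user:
        raise Forbidden("login required")
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_authorized(authenticated_user: str, invoice_id: int) -> Invoice:
    """Hardened: authorization is re-evaluated per object. The caller must own
    the record; a foreign id and a missing id both map to NotFound so the
    response does not reveal which ids exist."""
    if not authenticated_user:
        raise Forbidden("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != authenticated_user:
        raise NotFound(invoice_id)
    return inv


def outcome(handler, user: str, invoice_id: int) -> str:
    """Map a handler call to 'ok', 'not_found' or 'forbidden' for comparison."""
    try:
        handler(user, invoice_id)
        return "ok"
    except NotFound:
        return "not_found"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # alice asking for bob's invoice: the vulnerable handler serves it,
    # the hardened handler does not.
    for h in (get_invoice_idor, get_invoice_authorized):
        print(h.__name__, "alice -> 1002:", outcome(h, "alice", 1002))
```

The ownership comparison is the "second validation point" the advisory calls for: the hardened handler never assumes that a valid session implies a right to the specific object named in the request.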
Understanding access control and why it is important at the very beginning of the development cycle is time-intensive, particularly if you are asking your development team to implement and test code to create policies unique to each application.
This is where policy-as-code can come in to alleviate the burden on development teams and bridge the gap between developers and identity and access management (IAM) teams.
Policy-as-code enables developers and IAM teams to leverage code-based automation instead of relying on manual processes to manage policies.
This allows teams to interface through one language that seamlessly integrates with their continuous integration and continuous delivery/continuous deployment (CI/CD) pipelines. It ensures IAM policies are consistent across your organization without burdening the development team with additional, time-intensive activities.
Abolishing the stigma around policies
Currently, there is a stigma around policies with developers, who may believe they are too difficult to incorporate.
Often, developers will go down the path of “do you want the application now or a few years from now?” as they note they will have to build authorization into the application and mention how complicated that will be to do.
They often say this because of a lack of knowledge around the authorization solutions available. There are many solutions, like our Orchestrated Authorization solution, that can protect the application and implement authorization which constantly re-authorizes users.
Access control must be a key tenet of API security
When organizations build policies with access control and leverage API Gateways as an enforcement point, they accelerate their ability to scale and add a fine-grained access control model across their applications.
This in turn lets the architecture serve Zero Trust goals by continuously enforcing policy against critical attributes such as risk, time, location, classification and role, protecting your APIs from bad actors and reducing your security risk.
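As an added example, not Axiomatics' product code and not taken from the advisory, the block below sketches the policy-as-code idea from the previous section together with the gateway enforcement point described here: each policy is a small, testable rule over request attributes (role, location, device, risk, classification, time), a deny-by-default decision function evaluates them on every request, and a gateway function enforces the decision before forwarding to the upstream API. Every attribute name, rule and threshold is constructed for illustration.

```python
# Added example (not Axiomatics' code, not from the advisory): an attribute-based
# policy decision point evaluated by an API gateway on every request.
# Attribute names, rules and thresholds are hypothetical.
from dataclasses import dataclass
from datetime import time
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject_role: str              # "guest", "staff" or "admin"
    subject_location: str          # country code, as resolved by the gateway
    device_managed: bool           # whether the device is enrolled in management
    risk_score: int                # 0-100, as supplied by a risk engine
    resource_classification: str   # "public", "internal" or "restricted"
    action: str                    # "read" or "write"
    at: time                       # local request time


Rule = Callable[[Request], bool]


# Policy as code: each rule is a named function that can be unit-tested and
# versioned in the same repository and CI/CD pipeline as the application.
def within_business_hours(r: Request) -> bool:
    return time(8, 0) <= r.at <= time(18, 0)


def from_allowed_region(r: Request) -> bool:
    return r.subject_location in {"AU", "US"}


def managed_device_for_writes(r: Request) -> bool:
    return r.action != "write" or r.device_managed


def risk_below_threshold(r: Request) -> bool:
    return r.risk_score < 70


def role_can_see_classification(r: Request) -> bool:
    allowed = {
        "public": {"guest", "staff", "admin"},
        "internal": {"staff", "admin"},
        "restricted": {"admin"},
    }
    return r.subject_role in allowed.get(r.resource_classification, set())


POLICY: list[tuple[str, Rule]] = [
    ("within_business_hours", within_business_hours),
    ("from_allowed_region", from_allowed_region),
    ("managed_device_for_writes", managed_device_for_writes),
    ("risk_below_threshold", risk_below_threshold),
    ("role_can_see_classification", role_can_see_classification),
]


def decide(req: Request) -> tuple[str, list[str]]:
    """Deny by default: PERMIT only when every rule passes.
    Returns the decision and the names of the rules that failed (for logging)."""
    failed = [name for name, rule in POLICY if not rule(req)]
    return ("PERMIT" if not failed else "DENY"), failed


def gateway_handle(req: Request, upstream: Callable[[Request], str]) -> tuple[int, str]:
    """Enforcement point: the gateway re-authorizes every call, so a valid
    session alone never reaches the upstream API."""
    decision, failed = decide(req)
    if decision != "PERMIT":
        return 403, "denied: " + ", ".join(failed)
    return 200, upstream(req)


if __name__ == "__main__":
    ok = Request("staff", "AU", True, 10, "internal", "read", time(10, 0))
    risky = Request("staff", "AU", False, 10, "restricted", "write", time(22, 0))
    for r in (ok, risky):
        print(gateway_handle(r, lambda _: "upstream response"))
```

Because the rules are plain functions, the IAM team can own the policy list while the development team only wires the gateway to `decide`; the failing-rule names in the deny response give security operations a ready-made detection signal.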
Authorization vendors, like Axiomatics, have done the complex part for you so it is easy to implement authorization in your web application and APIs.